Updated: 2009-02-12

To create an effective security plan for the 2007 Microsoft Office system, you must first identify the tools you are going to use to configure, deploy, and manage security settings in your organization. In some cases, a single tool is adequate for configuring, deploying, and managing settings. In other cases, you might need to use a combination of tools — one tool for configuring and deploying an initial configuration, and one tool for managing settings on an ongoing basis. Choosing the right tool is a critical step in the security planning process because it helps ensure that the security settings you planned for are actually deployed and enforced throughout your organization. It also helps ensure that you can modify security settings after the initial rollout, enabling you to respond to sudden security threats.

Although you can use a wide range of tools and techniques to deploy and manage desktop applications in enterprise environments, we recommend that you use only the Office Customization Tool (OCT) and the 2007 Office system Group Policy Administrative Templates (.adm files) to configure, deploy, and manage security settings in the 2007 Office system. Each tool has different requirements and limitations, and provides different features and functionality. Choosing the correct tool requires careful evaluation of your organization's existing deployment and management infrastructure, your organization's security architecture, and your organization's security needs. To determine which tool is appropriate for your organization, use the best practices and recommendations that are provided in the following sections to evaluate each tool.

Office Customization Tool

The OCT is a new graphical user interface tool that helps you create a configuration (.msp) file. A configuration file can contain a wide variety of information, including installation instructions, licensing information, and application settings, such as security settings and privacy options. You can use a configuration file in the following two ways:

  • In conjunction with the Setup program to customize the installation process during a large-scale rollout.

  • In conjunction with Windows Installer 3.1 to update or maintain configuration settings during the operations phase of the software life cycle.

To use a configuration file to customize the installation process, you perform the following tasks:

  1. Use the OCT graphical user interface to configure setup options and application settings.

  2. Save the settings and options to an .msp file.

  3. Run the Setup program on your client computers, using command-line parameters to specify the .msp file that you want the Setup program to use.

To use a configuration file to update or maintain existing installations, you perform the following tasks:

  1. Use the OCT graphical user interface to configure application settings in an existing or new .msp file.

  2. Save the new application settings in the .msp file.

  3. Run Windows Installer on your client computer, using command-line parameters to specify the .msp file that you want Windows Installer to use.

For more information about using the OCT, see Office Customization Tool in the 2007 Office system and Customize the 2007 Office system.

Requirements and limitations

Although the OCT is new, it does not require any special infrastructure enhancements. For example, you do not need to modify your existing hardware, software, network topology, or security architecture to use the OCT. Nevertheless, the OCT has the following requirements:

  • You must use the OCT in conjunction with the Office Setup program. The OCT only generates .msp files. It does not apply security settings to computers. You must use the Setup program to install the 2007 Office system and apply the security settings that are saved in the .msp files.

  • You must use the Setup program that is included in the 2007 Office system because it is the only supported installation program that can read the data in OCT-generated .msp files and add the security settings (and other settings) to the registry.

  • The computers on which you run Setup and the OCT must have Windows Installer 3.1 installed.

  • You must be a member of the Administrators group on the local computer to run the OCT and the Office Setup program.

When deciding whether to use the OCT to configure and manage security settings, you should consider that the OCT has the following two limitations:

  • You cannot lock down or enforce security settings with the OCT. The OCT configures application settings in publicly accessible portions of the registry, such as HKEY_CURRENT_USER\Software\Microsoft\Office\12.0. If you use the OCT to configure or manage security settings for the 2007 Office system, users can modify the security settings that you deploy. These settings are considered user preferences rather than managed settings because users can change them. If you want to enforce security settings, use Group Policy.

  • You can configure only one block file format setting with the OCT. Block file format settings enable you to prevent users from opening or saving certain file types or file formats. These settings are useful if you want to prevent users from using older file formats or if you want to mitigate zero-day attacks.

Common scenarios

You can use the OCT and the Setup program to configure, deploy, and manage security settings in many IT environments. The following sections describe scenarios in which the OCT and the Setup program are particularly useful.

Unmanaged environments

The OCT is commonly used by organizations that do not centrally manage their desktop applications or do not remotely manage their desktop environments. In these cases, you can use the OCT and the Setup program to configure, deploy, and manage security settings without using a remote administration tool such as Microsoft Systems Management Server 2003, or a policy-based tool, such as Group Policy.

Initial security configurations

The OCT is commonly used to establish initial security configurations even though Group Policy is used to lock down or enforce security settings. This helps ensure that security settings are configured during initial rollout and before the first policy update occurs. Using the OCT to create an initial security configuration also enables you to reset the security settings on a computer by reapplying the initial configuration file.

Partially locked-down environments

The OCT is useful in partially locked-down environments in which a critical subset of security settings is locked down through Group Policy, but other security settings are not locked down and can be configured by users. In this scenario, most of the security settings are configured during initial setup by using an OCT-generated configuration file (.msp file), and critical security settings are deployed and managed through Group Policy after the initial setup is complete.

Group Policy Administrative Templates

The 2007 Office system includes 15 Administrative Templates, which enable you to manage security settings through local or domain-based Group Policy. Administrative Templates are Unicode text files that Group Policy uses to describe where registry-based policy settings are stored in the registry. All registry-based policy settings appear and are configured in the Group Policy Object Editor under the Administrative Templates node. Administrative Templates do not apply policy settings; they enable you to view the policy settings in the Group Policy Object Editor. Administrators can then create Group Policy objects (GPOs) containing the policy settings that they want to use. For example, you might have one GPO that contains various policy settings for managing ActiveX controls, add-ins, and macros.

The registry values used for Group Policy settings are stored under the approved registry keys for Group Policy. Users cannot change or disable these settings. Group Policy settings that administrators can fully manage are referred to as "true policies." True Group Policy settings have ACL restrictions to prevent users from changing the settings. The approved Group Policy registry keys are:

For computer policy settings:

  • HKEY_LOCAL_MACHINE\Software\Policies (the preferred location)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

For user policy settings:

  • HKEY_CURRENT_USER\Software\Policies (the preferred location)

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

For more information about Administrative Templates and about using Group Policy together with the OCT, see the Administrative Templates extension section and the Office Customization Tool and Group Policy section in Group Policy overview (2007 Office system). For more information about using Administrative Templates to configure, deploy, and manage security settings, see Enforce settings by using Group Policy in the 2007 Office system.
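As an added example (not part of this topic or the Office Resource Kit), the following PowerShell function checks, for one Office 2007 setting, whether it is present under an approved Group Policy key (a true policy that users cannot change) or only under the user-writable location that OCT-generated .msp files populate. The subkey and value name are hypothetical placeholders that you replace with the ones from the relevant .adm file, and the Office subpath under the Windows\CurrentVersion\Policies keys is assumed to mirror the Software\Policies layout.

```powershell
# Added example: report whether an Office 2007 security setting is enforced as a
# "true policy" (approved Group Policy key, ACL-protected) or is merely an OCT-style
# user preference that the user can change. SubKey and ValueName are hypothetical
# placeholders; take the real ones from the Administrative Template you are checking.

function Get-OfficeSettingSource {
    param(
        [Parameter(Mandatory)] [string] $SubKey,    # e.g. 'Word\Security' (relative to Office\12.0)
        [Parameter(Mandatory)] [string] $ValueName  # registry value name defined in the .adm file
    )

    # Approved Group Policy locations listed in the topic: preferred key first,
    # computer policy before user policy. Users cannot change values stored here.
    $policyRoots = @(
        'HKLM:\Software\Policies',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
        'HKCU:\Software\Policies',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    )
    # OCT-generated .msp files write to the publicly accessible application key instead.
    $preferenceRoot = 'HKCU:\Software\Microsoft\Office\12.0'

    # Assumption: Office policy values live under Microsoft\Office\12.0 beneath each root.
    $relative = "Microsoft\Office\12.0\$SubKey"
    foreach ($root in $policyRoots) {
        $path = Join-Path $root $relative
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = 'Policy'; Path = $path
                                      Value = $item.$ValueName; Enforced = $true }
        }
    }

    # No policy found: fall back to the user-preference location written by OCT/Setup.
    $path = Join-Path $preferenceRoot $SubKey
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        return [pscustomobject]@{ Source = 'UserPreference'; Path = $path
                                  Value = $item.$ValueName; Enforced = $false }
    }

    [pscustomobject]@{ Source = 'NotConfigured'; Path = $null; Value = $null; Enforced = $false }
}

# Usage with hypothetical placeholder names; substitute the subkey/value from your .adm file.
Get-OfficeSettingSource -SubKey 'Word\Security' -ValueName 'ExampleSetting' | Format-List
```

A result with Source = UserPreference means the setting exists only where a user can edit it, which is the case the topic warns about when the OCT is used without Group Policy.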

Requirements and limitations

If you are installing the 2007 Office system on computers that are running the Microsoft Windows XP, Microsoft Windows Server 2003, or Windows Vista operating systems, you must meet the following requirements to use Administrative Templates.

  • You must have the Active Directory directory service deployed in your organization to configure, deploy, and manage security settings through domain-based Group Policy settings.

  • You must be a member of the Administrators group on the local computer to configure, deploy, and manage security settings through local Group Policy settings.

When deciding whether to use Administrative Templates to configure and manage security settings, you should consider that Administrative Templates have the following limitations:

  • Group Policy does not provide a mechanism for rolling back settings to an initial configuration. If you deploy your initial configuration settings with Group Policy and you make subsequent changes to Group Policy settings, you must reconfigure each of your subsequent changes to revert to your initial configuration. Disabling or deleting the Group Policy object that contains your settings will change all settings to Not Configured.

  • You cannot configure trusted publishers settings with Group Policy. You can add digital certificates to the list of trusted publishers only with the OCT.

  • If your organization is small and you are not already using Active Directory, the administrative overhead required to understand and implement Group Policy in an Active Directory environment might make implementing domain-based Group Policy prohibitive.

Common scenarios

Group Policy can be used to configure, deploy, and manage security settings in many IT environments. The following sections describe scenarios in which Administrative Templates are particularly useful.

Managed environments

Administrative Templates are useful in organizations that use Group Policy to manage their desktop environments. This is true whether you have deployed Active Directory and you manage your desktop environment with domain-based Group Policy, or you do not have Active Directory installed but you manage your desktop environment with local Group Policy.

Locked-down environments

Administrative Templates are useful in locked-down environments in which users have little control over their desktop configuration. In this scenario, all security settings are deployed and managed through Group Policy. Any security settings that are configured during initial setup are overridden by the Group Policy settings.

Implementing block file format settings

Administrative Templates are the only way to effectively implement the block file format settings, which enable you to prevent users from opening certain file formats or file types. These settings are useful for mitigating zero-day attacks when you know the specific file type or file format that poses a risk to your organization. These settings are also useful for preventing users from using older file formats or forcing users to use the same file formats.

Choosing a tool

The following table compares the features and capabilities of the two recommended tools that you can use to configure security settings in the 2007 Office system. Use the information in the table to evaluate each tool and determine which tool is most appropriate for your organization.

Features and capabilities                                            Administrative Templates                                  OCT + Setup
Requires Active Directory.                                           Yes (domain-based Group Policy); No (local Group Policy)  No
Requires Windows Installer 3.1.                                      No                                                        Yes
Requires administrative credentials on the client computer.          Yes (local Group Policy); No (domain-based Group Policy)  Yes
Can be used to lock down security settings.                          Yes                                                       No
Can be used to manage security settings after initial installation.  Yes                                                       Yes
Can be used to establish initial security configurations.            Yes (not ideal)                                           Yes
Can be used to configure block file format settings.                 Yes (all settings)                                        Yes (however, only one setting)
Can be used to add publishers to the list of trusted publishers.     No                                                        Yes
